As technology improves, the techniques used by cyber attackers evolve with it. Quishing is one such emerging threat: a kind of phishing that relies on a QR code to deceive an individual. Unlike other types of phishing, which depend on malicious links or email attachments, Quishing makes use of QR codes. It has become popular among cyber attackers because of the convenience and apparent security it offers. With the rise of mobile payments, contactless services, and QR code-based authentication in India, Quishing has emerged as a significant cyber threat that continues to target unsuspecting users.
What is Quishing?
Quishing is a type of phishing attack in which attackers distribute QR codes that are used to siphon sensitive information or download malware onto the device. Generally, a Quishing scam involves a QR code that, when scanned by the target, directs the user to a malicious website where login credentials, personal information, and financial data are stolen. The codes appear legitimate, so the victim does not recognise them as a threat.
How Quishing Works: A Step-by-Step Breakdown
- Creating Phishing QR Codes: Thieves create a phishing QR code which, when scanned, causes the smartphone’s internet browser to open a phishing website or downloads malware onto the smartphone.
- Camouflage of the QR Code: Thieves then place the QR code on various media—be it flyers, posters, social media posts, or even phishing emails masquerading as official communications.
- Scanning by the Victim: Believing it to be legitimate, the user scans the QR code with their smartphone.
- Implementation of the Attack: Once the code is scanned, the victim is redirected to a phishing website which resembles the authentic website but is controlled by the attacker. The attacker can prompt the user to enter sensitive information such as login details, which are then stolen.
Real-Life Examples of Quishing in India
- Phantom Registration for Events: A university in Delhi conducted a national-level webinar and used QR codes to ease registration for the event. Cybercriminals posted a photo of the registration poster with the original QR code replaced by a fake one, and spread it on WhatsApp and social media. Students who scanned the fake QR code were redirected to a phishing page that asked for bank details for “registration confirmation,” resulting in multiple cases of identity theft and financial fraud.
- Restaurant Payment Frauds: In Mumbai, many consumers have reported that at various cafes offering UPI payments, scammers replaced the displayed QR codes with their own so that money went directly into the scammers’ accounts. The scam spread across several popular cafes before it was discovered and busted by the authorities.
- Cinema Hall Scam: Quishing was recently used in Hyderabad against a well-known cinema hall. Fraudsters put up QR codes at the entrance, claiming to offer a “special discount” on movie tickets. Users who scanned the code were redirected to a malicious site that looked exactly like the official ticket-buying page and were duped into entering their credit card numbers.
Actual Cases in India due to Quishing
- Mumbai Payment Scam 2023: In a series of cases in Mumbai, Quishing victims were fleeced while making transactions at restaurants and stores. The UPI QR codes had been tampered with by the fraudsters, who diverted the payments straight into their own bank accounts. Customers said they lost thousands before a shop realised something was amiss.
- Bengaluru Parking Meter Scam 2022: Men with ‘honest’ faces attached fake QR codes to publicly placed parking meters. When a customer scanned the code to pay for parking, the fraudsters received the money directly into their accounts.
How to Protect Yourself from Quishing
- Verify the Source: Check the source of a QR code before scanning it. If it is on a poster or flyer, ensure that it comes from a trustworthy source. Be alert to QR codes that have been placed in public or where they don’t seem to belong.
- Verify URLs Upon Redirect: When scanning a QR code redirects you to a web page, verify the URL. Check whether it is a secured web page (look for “https”). If so, verify that it is the correct web page before entering your personal information.
- Use a QR Scanner with Safety Features: Use an application that features a QR scanner with safety checks. Many such applications check the link’s safety before opening it. Use such an application to scan QR codes rather than the native camera application.
- Avoid Sharing Personal Information Immediately: If, after scanning a QR code, you are redirected to a website that asks for information such as banking or login details, be very careful, because the website might not be authentic. Independently confirm that the website is genuine before providing any information.
- Beware of Offers That Sound Too Good to Be True: Quishing attacks usually attract users with offers, prizes, or freebies. If it sounds too good to be true, then it probably is.
- Report Suspicious QR Codes: When you encounter a suspicious QR code in any public place, report it immediately to the respective authorities so that others do not lose time and money.
- Update your devices and mobile apps: Make sure your smartphone’s operating system and apps are updated with the latest security patches. This should protect you against malware that might infiltrate your device if you unknowingly scan a malicious QR code.
- Implement Two-Factor Authentication: Where possible, turn on 2FA for online accounts. If a phishing attack captures your credentials, 2FA may be your fallback protection.
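The source and URL checks above can be automated before a scanned code is ever opened. The following is an added example, not part of the original article: it inspects the text decoded from a QR code and flags web links and UPI payment links that do not match what the user expects. The trusted host, the payee address and the sample payloads are hypothetical values constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlists for this example; load your own in practice.
TRUSTED_HOSTS = {"tickets.example.com"}
TRUSTED_PAYEES = {"cafe.mumbai@examplebank"}

def check_qr_payload(payload: str) -> list[str]:
    """Return warnings for text decoded from a QR code; empty list = no findings."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname or ""
    except ValueError:
        return ["payload is not a parseable URL"]
    scheme = parts.scheme.lower()
    if scheme == "upi":
        # UPI payment links name the receiving account in the 'pa' parameter.
        # The display name ('pn') is free text chosen by whoever made the code.
        payee = parse_qs(parts.query).get("pa", [""])[0].lower()
        if payee not in TRUSTED_PAYEES:
            return [f"payee '{payee}' is not the expected merchant"]
        return []
    warnings = []
    if scheme != "https":
        warnings.append(f"scheme '{scheme}' is not https")
    if parts.username or parts.password:
        warnings.append("URL hides text before '@' in the host part")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (possible look-alike domain)")
    if host not in TRUSTED_HOSTS:
        warnings.append(f"host '{host}' is not on the trusted list")
    return warnings

# Constructed sample payloads, not taken from any real incident.
SAMPLES = [
    "https://tickets.example.com/book",
    "https://tickets.example.com.offers.example/book",
    "http://192.0.2.10/login",
    "upi://pay?pa=someone.else@examplebank&pn=Cafe%20Mumbai",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_payload(sample) or "no findings")
```

The second sample passes the “https” check and still fails, because the trusted name appears only as a prefix of a different domain; this is why the URL itself has to be compared, not just the padlock.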
Conclusion
Quishing is an emerging threat in the cyber world. As more services adopt QR codes for transactions and authentication, the chances of falling victim to such attacks will increase further. While fully embracing the convenience of QR codes, users should stay vigilant and follow safe practices so as not to become victims of Quishing or similar attacks. By being vigilant and cautious, individuals as well as businesses can remain safe from the threats of Quishing and many other cyber attacks.